diff --git a/bundles/jenkins-ci/files/jenkins.service b/bundles/jenkins-ci/files/jenkins.service
new file mode 100644
index 0000000..2fd24ad
--- /dev/null
+++ b/bundles/jenkins-ci/files/jenkins.service
@@ -0,0 +1,40 @@
+[Unit]
+Description=Jenkins Continuous Integration Server
+Requires=network.target
+After=network.target
+
+[Service]
+Type=simple
+NotifyAccess=main
+ExecStart=/usr/bin/java -Djava.awt.headless=true -Xmx512m -Djava.net.preferIPv4Stack=true -jar /usr/share/jenkins/jenkins.war --httpPort=22010 --httpListenAddress=127.0.0.1
+Restart=always
+RestartSec=10
+
+User=jenkins
+Group=jenkins
+
+Environment="JENKINS_HOME=/var/lib/jenkins"
+WorkingDirectory=/var/lib/jenkins
+
+LimitNOFILE=8192
+LimitNPROC=256
+
+UMask=0022
+
+NoNewPrivileges=true
+ProtectSystem=true
+ReadOnlyPaths=/
+ReadWritePaths=${' '.join(sorted(read_write_paths))}
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/jenkins-ci/items.py b/bundles/jenkins-ci/items.py
index 03e627e..476bd82 100644
--- a/bundles/jenkins-ci/items.py
+++ b/bundles/jenkins-ci/items.py
@@ -22,6 +22,16 @@ files = {
 '/var/lib/jenkins/.ssh/config': {
 'source': 'ssh-config',
 },
+ '/etc/systemd/system/jenkins.service': {
+ 'content_type': 'mako',
+ 'context': {
+ 'read_write_paths': node.metadata.get('jenkins-ci/writeable_paths'),
+ },
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:jenkins:restart',
+ },
+ }
 }
 
 if node.metadata.get('jenkins-ci/install_ssh_key', False):
diff --git a/bundles/jenkins-ci/metadata.py b/bundles/jenkins-ci/metadata.py
index 18c9799..09906a4 100644
--- a/bundles/jenkins-ci/metadata.py
+++ b/bundles/jenkins-ci/metadata.py
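Review bot: `ProtectSystem=true` immediately above `ReadOnlyPaths=/` is made redundant by that second directive; `ProtectSystem=strict` is the documented near-equivalent of a read-only root carved open by `ReadWritePaths=` and would replace both lines with one, making the intent obvious to the next reader. The sandbox still leaves the JVM with every system call and socket family available; with Jenkins bound to loopback, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, `RestrictNamespaces=true` and `SystemCallFilter=@system-service` are the usual next step, though a JVM should be exercised under load before the syscall filter is kept (note `MemoryDenyWriteExecute=` is not an option for a JIT). The `ReadWritePaths=` value is a plain space-join of `read_write_paths`, so a path containing whitespace would be split into two entries and a path starting with `-` or `+` would be read as a systemd prefix flag; a rendering comment such as `# rendered by bundlewrap from node metadata jenkins-ci/writeable_paths` above that line would tell an operator editing the unit on the host where the list really comes from.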
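Review bot: The new `'/etc/systemd/system/jenkins.service'` item triggers both `'action:systemd-reload'` and `'svc_systemd:jenkins:restart'`, but nothing in this hunk orders them; unless the reload action declared elsewhere in the bundle makes the restart depend on it, the restart can run against the stale unit definition, which is worth confirming since the enclosing `files` dict starts before this hunk and the action is not visible here. The template context key `read_write_paths` and the metadata key `jenkins-ci/writeable_paths` carry the same value under two names; using one spelling end-to-end would make the unit easier to trace back to the node file. A one-line comment on the entry, `# sandboxed unit; writable paths come from jenkins-ci/writeable_paths (defaults in metadata.py)`, would document that coupling.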
@@ -21,6 +21,11 @@ defaults = {
 '/var/lib/jenkins',
 },
 },
+ 'jenkins-ci': {
+ 'writeable_paths': {
+ '/var/lib/jenkins',
+ },
+ },
 'zfs': {
 'datasets': {
 'tank/jenkins': {
diff --git a/nodes/rx300.py b/nodes/rx300.py
index 1b6502f..636aeb0 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -152,6 +152,10 @@ nodes['rx300'] = {
 'jenkins-ci': {
 'install_ssh_key': True,
 'domain': 'jenkins.franzi.business',
+ 'writeable_paths': {
+ '/var/www/franzi.business', # for deployment task
+ '/var/www/unicornsden', # for deployment task
+ },
 },
 'letsencrypt': {
 'concat_and_deploy': {
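Review bot: The `'/var/lib/jenkins'` default in the new `'writeable_paths'` set is the only thing that keeps the hard-coded `JENKINS_HOME=/var/lib/jenkins` in `files/jenkins.service` writable under `ReadOnlyPaths=/`, and nothing documents that the two must move together. A comment on the entry, `# must match JENKINS_HOME in files/jenkins.service; node metadata extends this set`, would make the coupling visible (the "extends" part assumes bundlewrap's usual set merging for defaults and should be confirmed against how the rest of this file is merged). The enclosing `defaults` dict starts before this hunk.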
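Review bot: The two `'/var/www/...'` entries added to `'writeable_paths'` hand the whole Jenkins service process write access to the live web roots, so every job executing on the built-in node and every plugin running inside the controller JVM can modify the deployed sites, not only the deployment task the inline comments mention; that assumes jobs run on the controller, which is not visible here. If the deploy step only needs a subtree, or could go through the SSH config already shipped for the jenkins user (`/var/lib/jenkins/.ssh/config` in items.py) to a dedicated deploy account, the grant could be narrowed or dropped; the `ReadWritePaths=` entry also only lifts the mount-level read-only bit, so the directories still need to be writable by `jenkins` via ownership or group, which this node file does not set. I would replace the two trailing comments with one on the set, `# grants the entire jenkins service (all jobs on the built-in node) write access to these trees`. The enclosing `nodes['rx300']` dict starts before and ends after this hunk.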